
Please change the display of the expiration date to ISO 8601 format: '%FT%R', which expands to 'yearWithCentury-month-dayOfMonth', a letter T, then 'hour:minute', all with zero-padding as needed. This should cause them to sort properly with no added sorting logic.
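An added example, not part of the original post, showing why the requested format needs no sorting logic: zero-padded, most-significant-first timestamps sort as plain text in the same order as they sort chronologically. The rule names and the ctime-style "current" layout are assumptions made for illustration, since the post does not quote the existing display format.

```python
from datetime import datetime

# Constructed sample data: (rule name, expiration) in an assumed ctime-style layout.
CONSTRUCTED_RULES = [
    ("rule-a", "Tue Jan  7 09:05:00 2020"),
    ("rule-b", "Mon Dec  2 18:30:00 2019"),
    ("rule-c", "Fri Jan  3 23:59:00 2020"),
    ("rule-d", "Wed Feb 12 00:15:00 2020"),
]

CTIME_LAYOUT = "%a %b %d %H:%M:%S %Y"   # assumed current display layout
ISO_LAYOUT = "%Y-%m-%dT%H:%M"           # portable spelling of '%FT%R'


def to_iso(expiry: str) -> str:
    """Re-render a ctime-style expiration as zero-padded ISO 8601."""
    return datetime.strptime(expiry, CTIME_LAYOUT).strftime(ISO_LAYOUT)


def sort_by_text(rules):
    """Sort rules by the expiration string alone, as a naive table or `sort` would."""
    return [name for name, expiry in sorted(rules, key=lambda r: r[1])]


def sort_by_time(rules, layout):
    """Sort rules by the parsed expiration time (the ground truth)."""
    return [name for name, expiry in
            sorted(rules, key=lambda r: datetime.strptime(r[1], layout))]


def iso_rules(rules):
    """Same rules with the expiration converted to the requested format."""
    return [(name, to_iso(expiry)) for name, expiry in rules]


if __name__ == "__main__":
    truth = sort_by_time(CONSTRUCTED_RULES, CTIME_LAYOUT)
    print("chronological      :", truth)
    # Text sort of the ctime-style strings orders by weekday name first.
    print("text sort, ctime   :", sort_by_text(CONSTRUCTED_RULES))
    # Text sort of the ISO strings matches chronological order.
    print("text sort, ISO 8601:", sort_by_text(iso_rules(CONSTRUCTED_RULES)))
```

The property depends on the zero-padding the post mentions: an unpadded value such as `2020-1-7T9:05` would sort after `2020-02-12T00:15` as text.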

Re: SAM rule expiration sorting

I use them mostly as part of SmartEvent's automatic responses.

I'm also working on giving my company's incident response team access to create SAM rules to lower the latency in urgent blacklist requests. The current process involves IR opening a ticket, then waiting on a whole different part of the company (IR is under CISO, people who push firewall rules are under CTO; wildly different top-level incentives) to process it. We're working on upgrading to R80-family to take advantage of the more granular permissions, but we still have some old firewalls R80 no longer supports.

Re: SAM rule expiration sorting

Anyone still using block rules via fw sam and/or the SmartView Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL, thus avoiding the overhead of going into the Firewall Path (F2F) where fw sam rules are enforced; great for killing massive flooding attacks with minimal impact on CPU utilization. There are a crapload of other features in fw samp as well, including packet/bandwidth limits, total/new connections limits, blocking by geographic country, etc:

Right now fw samp can only be accessed from the CLI, but I seem to recall hearing there may be something on the roadmap to make this feature accessible through some kind of GUI.